Category: Coding Mistakes

Function openTrade lacks incorrect-payment sanity checks

Low Severity
Low Impact
Low Likelihood

Description

The function openTrade is called to open both market and limit orders. Opening a market order requires paying the Pyth oracle update fee in ETH (as the value sent with the transaction) and supplying valid priceUpdateData. Opening a limit order instead requires the caller to pay an additional _executionFee.

However, for both market and limit orders, the ETH value sent with the transaction is never checked against what the order actually requires. If a user accidentally sends more value than the Pyth update needs, or sends any value at all with a limit order, the excess is stuck in the contract.

Also, for market orders, _executionFee is still added to the amount of USDC transferred from the user, but the value is never used afterwards, so that USDC likewise remains stuck in the Trading contract.

Impact

User error while calling the openTrade function can cause USDC or ETH to be locked.

Recommendations

Check that the ETH value sent with the transaction matches exactly what the order requires, both when the Pyth oracle is consulted (market orders) and when it is not (limit orders, which should require zero value). For market orders, either do not take _executionFee from the user at all, or revert if it is nonzero.
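The shape of the bug from the Description and the checks recommended above, as an added illustration that is not Avantis code and not taken from the report. The contract, the TradingExample and OrderType names, the collateral parameter and the custom errors are hypothetical; the IPyth interface below is a minimal subset of the real Pyth SDK interface (getUpdateFee and updatePriceFeeds), and the rest of the order bookkeeping is elided.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Avantis code. Only the two Pyth functions the check needs
// are declared; both exist in @pythnetwork/pyth-sdk-solidity with these signatures.
interface IPyth {
    function getUpdateFee(bytes[] calldata updateData) external view returns (uint256);
    function updatePriceFeeds(bytes[] calldata updateData) external payable;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TradingExample {
    enum OrderType { MARKET, LIMIT }

    IPyth public immutable pyth;
    IERC20 public immutable usdc;

    // Hypothetical custom errors used by the hardened path.
    error WrongEthValue(uint256 expected, uint256 actual);
    error ExecutionFeeOnMarketOrder();

    constructor(IPyth _pyth, IERC20 _usdc) {
        pyth = _pyth;
        usdc = _usdc;
    }

    // Vulnerable shape, as the finding describes it: msg.value is never compared
    // to what the order type needs, and _executionFee is pulled in USDC even for
    // market orders, where nothing ever spends it.
    function openTradeUnchecked(
        OrderType orderType,
        uint256 collateral,
        uint256 _executionFee,
        bytes[] calldata priceUpdateData
    ) external payable {
        // Charged for both order types; unused for MARKET, so it is stuck here.
        require(usdc.transferFrom(msg.sender, address(this), collateral + _executionFee), "USDC transfer failed");
        if (orderType == OrderType.MARKET) {
            uint256 fee = pyth.getUpdateFee(priceUpdateData);
            pyth.updatePriceFeeds{value: fee}(priceUpdateData);
            // Any msg.value above `fee` stays in this contract with no way out.
        }
        // For LIMIT, any msg.value sent is simply retained.
        // ... store the order (elided)
    }

    // Hardened version: the ETH sent must equal exactly what this order type
    // consumes, and _executionFee is only accepted (and only charged) for limit orders.
    function openTrade(
        OrderType orderType,
        uint256 collateral,
        uint256 _executionFee,
        bytes[] calldata priceUpdateData
    ) external payable {
        uint256 usdcToPull = collateral;

        if (orderType == OrderType.MARKET) {
            // Market orders consume no execution fee, so reject a nonzero one
            // rather than silently pulling USDC that is never spent.
            if (_executionFee != 0) revert ExecutionFeeOnMarketOrder();

            // The Pyth update is the only thing the ETH is for; require an exact match
            // so no dust accumulates in the contract.
            uint256 fee = pyth.getUpdateFee(priceUpdateData);
            if (msg.value != fee) revert WrongEthValue(fee, msg.value);
            pyth.updatePriceFeeds{value: fee}(priceUpdateData);
        } else {
            // Limit orders do not touch the oracle here, so no ETH should arrive at all.
            if (msg.value != 0) revert WrongEthValue(0, msg.value);
            usdcToPull += _executionFee;
        }

        require(usdc.transferFrom(msg.sender, address(this), usdcToPull), "USDC transfer failed");
        // ... store the order (elided)
    }
}
```

An exact-match check on msg.value is the simplest way to satisfy the recommendation; a refund of any excess is the common alternative, but it adds an external ETH transfer back to msg.sender and therefore a reentrancy surface that the strict equality avoids.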

Remediation

The remediation for Finding ref removed immediately-executing open orders.

Zellic © 2025